Drupal one of the most popular open source content management system has affected by highly critical vulnerability.

Content management system Drupal just released a statement confirming a “highly critical” vulnerability found in versions 6, 7 and 8. According to an analysis by Sitelock, only 18% of Drupal websites are on the latest update, so there’s over one million vulnerable sites in need of the new security patch.

The vulnerability allows an attacker to take control of an affected site just by visiting it; attackers can then modify or delete the affected websites’ data. They would also have access to non-public data. Luckily the good news is, to Drupal’s knowledge, the issue is not currently being exploited.

Our datacenter techs are putting up a firewall block within the next few hours, but in the meantime, please update your Drupal to the latest version. Here’s the instructions per version:

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.

This issue also affects Drupal 6. Drupal 6 reached End of Life in February 2016.